U.K. Fines Sony over PlayStation Breach

British authorities have fined the European arm of Sony Entertainment Network Â£250,000 - that's nearly $400,000 - for not taking appropriate steps to safeguard customers' personal information when hackers attacked its PlayStation Network in April 2011.

Britain's Information Commissioner's Office, in a report issued on Jan. 24, says its investigation found that the attack could have been prevented if the network's software had been up-to-date. In addition, U.K. authorities contend Sony's technology at the time did not appropriately secure passwords.

A spokesman for Sony Computer Entertainment Europe said in a statement that the company strongly disagrees with the ruling and plans to appeal it.

"The ICO recognizes Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network," Sony spokesman Jonathan Fargher said.

The breach revealed the personal information of 77 million customers of Sony's PlayStation Network and Qriocity service, including their names, addresses, dates of birth and account passwords. Customers' payment card details also were exposed.

'Should Have Known Better'

"If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough," David Smith, deputy information commissioner and director of data protection, said in a statement announcing the fine.

"There's no disguising that this is a business that should have known better," Smith said. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The attacks occurred between April 17 and 19, 2011, forcing Sony to shutter the PlayStation network on April 20. The outage lasted for more than three weeks.

Within a month of the attacks, Sony said distributed denial of service attacks camouflaged simultaneous intrusions that resulted in the exposure of the personal information [see Sony: DDoS Masked Data Exfiltration].

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;